How do Social Security's signature processes meet the requirements for a valid authorization under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule?

The HIPAA Privacy Rule (45 CFR 164.508(c)) requires that valid authorization forms contain certain core elements, including a signature. Social Security’s form contains all of the required elements.

The Department of Health and Human Services’ Office of Civil Rights has stated that Social Security’s use of an employee attestation process or an internet click-and-sign process to execute the SSA-827 (Authorization to Disclose Information to the Social Security Administration) would result in a validly executed HIPAA authorization, provided the processes comply with the Office of Management and Budget’s (OMB) procedures issued pursuant to the Government Paperwork Elimination Act (GPEA) (Public Law 105-277).

Under GPEA, OMB ensures that agencies, when practicable, provide for the option of electronic maintenance, submission or disclosure of information and for the use and acceptance of electronic signatures. GPEA states that electronic records submitted or maintained in accordance with the procedures developed by OMB, or electronic signatures or other forms of electronic authentication used in accordance with such procedures, “shall not be denied legal effect, validity, or enforceability merely because such records are in electronic form” (Pub. L. 105-277, section 1707). Social Security developed its attestation process and internet click-and-sign process in accordance with OMB procedures.

What steps does Social Security take to verify the identity of the signer?

To verify the identity of the signer, we match the disability applicant’s answers during the application process with the following information in our records: name, date of birth, Social Security number, place of birth, work history, and mother’s maiden name. Further, Social Security employees must resolve any inconsistencies identified during the extensive application and evidence development processes before a claim can proceed.

How does Social Security protect the information that it gets from health care providers?

In response to a request from us, the provider makes the authorized disclosure only to Social Security or to our affiliated State disability determination service offices. The provider is never instructed to release the information to an individual. Once we have the information, Social Security will only redisclose information under very limited circumstances allowed by law. Individuals who request their own records from us must pass identity verification before we will provide access to the records.

Is a disclosure to Social Security safe?

We recognize that ensuring proper disclosure of personally identifiable information is a complex and important responsibility, particularly in light of the variety of requestors and possible signature types.

We place the highest value on individual privacy and information security, while still seeking operational efficiency. Requests from Social Security and its affiliated state agencies (disability determination services) present a unique circumstance warranting special consideration. Disclosure to Social Security is safe for many reasons:

We are a known, recurring, and frequent source of requests for information.

On behalf of our claimants nationwide, we request approximately 15 million medical records each year.

Every request to medical sources comes directly from Social Security or our affiliated State agencies – our requests never come from a third-party source.

We always send the same, standardized, HIPAA-compliant authorization form with our requests for records.

Every request is in the context of an active disability case.

We have a thorough and transparent signature process for our authorization form.

For every claimant who applies for Social Security disability benefits, we always take the following steps:

We verify personal information against information in our records to establish that the individual applying for benefits and signing the authorization form is who he or she purports to be.

We explain the disability claims process and the purpose of signing the authorization form, and we give the claimant the opportunity to review the form before signing.

We transmit the form directly to our systems to protect it from alteration after signing and link it to the disability claim.

We retain a record of the claim and the form in our systems.

We provide claimants with a copy of the same signed image we will provide to their sources of information.

We protect the information we receive.

The Privacy Act of 1974 governs the information Social Security collects and retains. We have implemented stringent policies to protect personally identifiable information and prevent improper redisclosure. We do not redisclose the information we receive, except in limited situations allowed by law. Even redisclosures to claimants themselves require compliance with strict procedures, which include verification of identity.

Social Security has built a strong reputation for safeguarding the privacy of individuals and the security of our information systems. Like all custodians of personally identifiable information, we have a responsibility to take reasonable steps to prevent improper disclosures. We are proud of our stringent policies for preventing improper disclosure and our record of protecting personal information.

Why is Social Security using an employee attestation process for Form SSA-827 when individuals apply for disability benefits by telephone or in a Social Security office?

Social Security continually looks for ways to provide electronic options for gathering the information we need to process claims for benefits.

Since 2004, Social Security has successfully processed millions of retirement, survivors, and disability applications by using click-and-sign signatures for applications filed online and employee-attested signatures for applications taken in person and over the telephone. We are now extending these trusted processes to the SSA-827 in order to speed our handling of that form. Both of our signature processes include:

verification of the claimant’s identity;

a full explanation of the purpose of signing the authorization to disclose information to SSA;

opportunity to review the SSA-827 prior to signing;

the option to explicitly demonstrate intent to authorize disclosure;

a copy of the signed SSA-827 as a receipt; and

an auditable trail within SSA’s case processing systems that documents the signature process.
